dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
150s
max time network
159s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Size

1.6MB
MD5

e38a8ba2db5ea28f0f52d37b4a9d0d45
SHA1

eeb67e1eb72370ce24df9b82c6a7664176dfe064
SHA256

1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6
SHA512

ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2756	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2756	schtasks.exe	31

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral7/memory/2120-1-0x0000000000D70000-0x0000000000F12000-memory.dmp	dcrat
behavioral7/files/0x000500000001958e-25.dat	dcrat
behavioral7/files/0x000f00000001418b-67.dat	dcrat
behavioral7/files/0x0006000000004ed7-90.dat	dcrat
behavioral7/files/0x000600000001956c-112.dat	dcrat
behavioral7/files/0x0008000000019605-158.dat	dcrat
behavioral7/memory/2768-276-0x0000000001340000-0x00000000014E2000-memory.dmp	dcrat
behavioral7/memory/2508-298-0x00000000013A0000-0x0000000001542000-memory.dmp	dcrat
behavioral7/memory/2960-332-0x0000000000210000-0x00000000003B2000-memory.dmp	dcrat
behavioral7/memory/2460-344-0x00000000001B0000-0x0000000000352000-memory.dmp	dcrat
behavioral7/memory/2276-356-0x0000000000B60000-0x0000000000D02000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1732	powershell.exe
2548	powershell.exe
2828	powershell.exe
628	powershell.exe
2508	powershell.exe
2440	powershell.exe
1668	powershell.exe
2876	powershell.exe
2632	powershell.exe
2624	powershell.exe
2652	powershell.exe
1940	powershell.exe
2376	powershell.exe
2836	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2768	lsm.exe
1960	lsm.exe
2508	lsm.exe
2420	lsm.exe
1432	lsm.exe
2960	lsm.exe
2460	lsm.exe
2276	lsm.exe
2564	lsm.exe
2932	lsm.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Journal\it-IT\RCX4880.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX3359.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX460E.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\System.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\RCX4881.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\RCX4169.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\VideoLAN\VLC\0a1fd5f707cd16	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\886983d96e3d3e	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\Windows Journal\it-IT\101b941d020240	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\sppsvc.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\RCX40FB.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\lsm.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\VideoLAN\VLC\sppsvc.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\Windows Portable Devices\System.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\Windows Journal\it-IT\lsm.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX32EB.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX460F.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\it-IT\winlogon.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\it-IT\cc11b995f2a76d	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\it-IT\winlogon.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\addins\Idle.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\addins\6ccacd8608530f	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\smss.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\RCX438C.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\smss.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\addins\Idle.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\addins\RCX2BA4.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\addins\RCX2BC5.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\it-IT\RCX3EE6.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\it-IT\RCX3EE7.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\69ddcba757bf72	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\RCX438D.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1732	schtasks.exe
1648	schtasks.exe
2916	schtasks.exe
2608	schtasks.exe
2800	schtasks.exe
536	schtasks.exe
2720	schtasks.exe
2156	schtasks.exe
496	schtasks.exe
2668	schtasks.exe
2728	schtasks.exe
2380	schtasks.exe
588	schtasks.exe
1148	schtasks.exe
1068	schtasks.exe
2828	schtasks.exe
2548	schtasks.exe
1960	schtasks.exe
2900	schtasks.exe
2040	schtasks.exe
1460	schtasks.exe
2056	schtasks.exe
676	schtasks.exe
1372	schtasks.exe
2896	schtasks.exe
2224	schtasks.exe
2208	schtasks.exe
2684	schtasks.exe
2716	schtasks.exe
3012	schtasks.exe
2576	schtasks.exe
444	schtasks.exe
1496	schtasks.exe
1408	schtasks.exe
2236	schtasks.exe
2872	schtasks.exe
2060	schtasks.exe
1112	schtasks.exe
1256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2376	powershell.exe
628	powershell.exe
1732	powershell.exe
2624	powershell.exe
2508	powershell.exe
2828	powershell.exe
2652	powershell.exe
1668	powershell.exe
2836	powershell.exe
2876	powershell.exe
2440	powershell.exe
2548	powershell.exe
2632	powershell.exe
1940	powershell.exe
2768	lsm.exe
1960	lsm.exe
2508	lsm.exe
2420	lsm.exe
1432	lsm.exe
2960	lsm.exe
2460	lsm.exe
2276	lsm.exe
2564	lsm.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2768	lsm.exe
Token: SeDebugPrivilege	1960	lsm.exe
Token: SeDebugPrivilege	2508	lsm.exe
Token: SeDebugPrivilege	2420	lsm.exe
Token: SeDebugPrivilege	1432	lsm.exe
Token: SeDebugPrivilege	2960	lsm.exe
Token: SeDebugPrivilege	2460	lsm.exe
Token: SeDebugPrivilege	2276	lsm.exe
Token: SeDebugPrivilege	2564	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2376	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	71
PID 2120 wrote to memory of 2376	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	71
PID 2120 wrote to memory of 2376	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	71
PID 2120 wrote to memory of 2836	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	72
PID 2120 wrote to memory of 2836	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	72
PID 2120 wrote to memory of 2836	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	72
PID 2120 wrote to memory of 2440	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	74
PID 2120 wrote to memory of 2440	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	74
PID 2120 wrote to memory of 2440	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	74
PID 2120 wrote to memory of 2508	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	75
PID 2120 wrote to memory of 2508	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	75
PID 2120 wrote to memory of 2508	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	75
PID 2120 wrote to memory of 1732	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	76
PID 2120 wrote to memory of 1732	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	76
PID 2120 wrote to memory of 1732	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	76
PID 2120 wrote to memory of 628	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	77
PID 2120 wrote to memory of 628	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	77
PID 2120 wrote to memory of 628	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	77
PID 2120 wrote to memory of 1940	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	78
PID 2120 wrote to memory of 1940	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	78
PID 2120 wrote to memory of 1940	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	78
PID 2120 wrote to memory of 2876	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	79
PID 2120 wrote to memory of 2876	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	79
PID 2120 wrote to memory of 2876	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	79
PID 2120 wrote to memory of 1668	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	80
PID 2120 wrote to memory of 1668	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	80
PID 2120 wrote to memory of 1668	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	80
PID 2120 wrote to memory of 2828	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	81
PID 2120 wrote to memory of 2828	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	81
PID 2120 wrote to memory of 2828	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	81
PID 2120 wrote to memory of 2652	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	83
PID 2120 wrote to memory of 2652	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	83
PID 2120 wrote to memory of 2652	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	83
PID 2120 wrote to memory of 2624	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	86
PID 2120 wrote to memory of 2624	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	86
PID 2120 wrote to memory of 2624	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	86
PID 2120 wrote to memory of 2548	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	88
PID 2120 wrote to memory of 2548	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	88
PID 2120 wrote to memory of 2548	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	88
PID 2120 wrote to memory of 2632	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	90
PID 2120 wrote to memory of 2632	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	90
PID 2120 wrote to memory of 2632	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	90
PID 2120 wrote to memory of 1112	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	99
PID 2120 wrote to memory of 1112	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	99
PID 2120 wrote to memory of 1112	2120	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	99
PID 1112 wrote to memory of 2220	1112	cmd.exe	101
PID 1112 wrote to memory of 2220	1112	cmd.exe	101
PID 1112 wrote to memory of 2220	1112	cmd.exe	101
PID 1112 wrote to memory of 2768	1112	cmd.exe	102
PID 1112 wrote to memory of 2768	1112	cmd.exe	102
PID 1112 wrote to memory of 2768	1112	cmd.exe	102
PID 2768 wrote to memory of 2796	2768	lsm.exe	103
PID 2768 wrote to memory of 2796	2768	lsm.exe	103
PID 2768 wrote to memory of 2796	2768	lsm.exe	103
PID 2768 wrote to memory of 2152	2768	lsm.exe	104
PID 2768 wrote to memory of 2152	2768	lsm.exe	104
PID 2768 wrote to memory of 2152	2768	lsm.exe	104
PID 2796 wrote to memory of 1960	2796	WScript.exe	105
PID 2796 wrote to memory of 1960	2796	WScript.exe	105
PID 2796 wrote to memory of 1960	2796	WScript.exe	105
PID 1960 wrote to memory of 2412	1960	lsm.exe	106
PID 1960 wrote to memory of 2412	1960	lsm.exe	106
PID 1960 wrote to memory of 2412	1960	lsm.exe	106
PID 1960 wrote to memory of 3068	1960	lsm.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
"C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Music\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fPx99wSUcI.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2220
- - C:\MSOCache\All Users\lsm.exe
    "C:\MSOCache\All Users\lsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8839d396-1d71-4fa3-9a79-9756a4756da1.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b1c316e-e8a8-4d47-8500-d21f34166387.vbs"
        6⤵
        
        PID:2412
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d557b85f-2ffa-4b95-ad2c-c0f8f8bfbc10.vbs"
        8⤵
        
        PID:1640
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7dae2914-ee79-4cf7-8c23-e8aada647930.vbs"
        10⤵
        
        PID:3012
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8afebfef-c0c6-4599-9b32-eb60cc6f5dda.vbs"
        12⤵
        
        PID:1704
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f94d876-21e0-40a4-89b1-1acb9ef48b02.vbs"
        14⤵
        
        PID:2284
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c96c0ca5-5438-4e18-a558-ea5abf981ba0.vbs"
        16⤵
        
        PID:1056
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdbde285-265d-4058-af7e-c298363e1829.vbs"
        18⤵
        
        PID:2112
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f942a7b4-551b-40cd-98b0-46f04699c923.vbs"
        20⤵
        
        PID:1612
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        21⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7ffd4f2-18fa-4d52-acff-6335f61a0ac5.vbs"
        22⤵
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65e70f9c-4740-4a5d-bcd0-ebe951d455a7.vbs"
        22⤵
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa9ac571-b983-48e1-b4e7-5612a28e19e3.vbs"
        20⤵
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\283f15a3-6574-491a-8112-606ef7fa4b63.vbs"
        18⤵
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55e0f8c1-57b4-401f-97bd-92363209d863.vbs"
        16⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a772b06a-a060-4da6-922e-f5fbbe9bfd2a.vbs"
        14⤵
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46cfbfc7-81a7-434b-8214-4f275c068ebc.vbs"
        12⤵
        
        PID:2872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6deb2b9-6fc4-42d5-a9e7-4372acfe07b1.vbs"
        10⤵
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\641c9c72-6321-49ae-9288-5e4fc6e2badc.vbs"
        8⤵
        
        PID:608
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fc5f353-ed53-45e7-ab8d-b84f7c64e2f4.vbs"
        6⤵
        
        PID:3068
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1caa882-75f6-4f68-80c7-4aa004dac8a9.vbs"
      4⤵
      PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Documents\My Music\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Documents\My Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\it-IT\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe

Filesize
1.6MB

MD5
e38a8ba2db5ea28f0f52d37b4a9d0d45

SHA1
eeb67e1eb72370ce24df9b82c6a7664176dfe064

SHA256
1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6

SHA512
ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e

Download Submit
C:\Program Files\VideoLAN\VLC\sppsvc.exe

Filesize
1.6MB

MD5
11ede51f788b9c98a3345b0872826e35

SHA1
4a4d4aef3422ec29d5353e6edb6c181b5223bd57

SHA256
707f1e3c7b1960f4c63773f997f591883e7fc49885fc062ebb0f59af9de990d1

SHA512
52bf35635c1daea3ac97d27ce20b6c5bf439ba047a3df9faaf691bb13b6ba8da9ce3a6e2bec1741b5f34be4c4c06f51e51fafb7ce2c786f9a4a13305865fcc18

Download Submit
C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe

Filesize
1.6MB

MD5
872f845c9b6202e523f24b1ab86b7852

SHA1
484ecced5198dda55ad1ecf90fe851a45745e3a7

SHA256
7a27a2b989c79bc8d2fa92169b50ca6231eca7d0281d37fa188fdd9982b84f8e

SHA512
1b712eea1a640d69109f6242bdf267762f9db864fe4546242a294da295abb95d02c72294079d14b935ff75bf862898a1978bb228ddb1c7b565afb5e0568c4721

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dae2914-ee79-4cf7-8c23-e8aada647930.vbs

Filesize
705B

MD5
056e65565f92b6576d84e53ba28c3df3

SHA1
ff5a31f4f67bb88a6b96ff42673fb06f739d6558

SHA256
6b0c1289fd5e5e99a7187bc6cbb38b9149f9823ec4e5731af81228981e84a794

SHA512
1f5a0047e4b1eae6c0ee36e22f37b2bd9f0e0cc62c078862415df33f48851dea8b5896baa67983f193269f2fb46a9159708a7f59c6780bbbf35999a068a86dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8839d396-1d71-4fa3-9a79-9756a4756da1.vbs

Filesize
705B

MD5
adcfedacffaaeee6cf261819bd2f1582

SHA1
a8fb547fa903302586010572a242bdd901712a22

SHA256
0db37775b1a4a68fa93abee9909862c82b35c96afb5695e6735c74091e7a4514

SHA512
327350c23b946a4b2ed4780cb5718c333ddf3e4a658ce1c185e6c5f202a68eafc168853087dd40c1b4be506b167d28d1a523e89c61e0ed40761d8d80f55dee8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8afebfef-c0c6-4599-9b32-eb60cc6f5dda.vbs

Filesize
705B

MD5
aab71373e9068de088aa02680f616696

SHA1
59925b330047ed24e1d0c480c303cc69c98adb3e

SHA256
b1bb89f78db6d7b886a101bbbaf78e0c28637ff51249f58980c6d0e2d57c45a1

SHA512
23d74292a3088a4a0124c8274290e7e503a71d1b6ffbcf9ec4ab5c36b93449dc2be4c4fad5a858a4dfed84a38b2ad1ae08a7f5c350f897fcf8bb3438966fff5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b1c316e-e8a8-4d47-8500-d21f34166387.vbs

Filesize
705B

MD5
101b77e94678035b99fc2fd9eadaa2ad

SHA1
e541cf2b7da65d087df0a6174bbe74b42092f934

SHA256
42ac1a5f940cf146ec2cc09bdda253ee0770dda809387f6119ec2ba23d591439

SHA512
2a8e6a66b6c00de058981399221b22f361fc429829f8e0fd82835058fc4de564961198c6671a31089fd2c339c8005bcf129a7862c549acc51a756feacf9bbd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f94d876-21e0-40a4-89b1-1acb9ef48b02.vbs

Filesize
705B

MD5
5c82856c1f9eaa74ee3dfea7811b2ce0

SHA1
bc4e11954a89aa7f900577325d4a83bc750e3d43

SHA256
3b202d6ca7d2b94ad8d3a769074737ff130c5268db3f186a9e3ee1347bec89ac

SHA512
ae22ba50d57712ab31e9daf9de6d4a663f61c34976a904c47b1eb0947337e11b170317d2f5fcff695b339042fd6c002c4f076dcd89958efc71748a245e788a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c96c0ca5-5438-4e18-a558-ea5abf981ba0.vbs

Filesize
705B

MD5
4221ad5fdf77b532564098db44d79279

SHA1
338865544b8d07d1f6857f60c00b0825145976cf

SHA256
ac594270ce5b91a86ca706a45d63a986ec76289af72d064d379cc49c2bc1f292

SHA512
3490b4e1af45a72e4ecad589d265f6d017318bcb9964d3bffa2cccb17f43dfc84a7ca8d4e453fa2ed3809765db9ff79057c2437fe85ed667e0bf3ff40e415b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d557b85f-2ffa-4b95-ad2c-c0f8f8bfbc10.vbs

Filesize
705B

MD5
7c193a68dc994d030d07d2f08fe729b5

SHA1
999e325f976d37068979d532d0037733cd7e8892

SHA256
351193038e788f7173c06d9afa26550c6677a54fae57fe0f7b1b56185a7e7ff0

SHA512
a59ebfd4f16c2b305d06b7b15e9b01a6066a72ff44b99c72a5d7cc46c6ecd84a1010800ef02da8be4f4a76f14ac108c51f11d4084496ab8b1c30622175140e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1caa882-75f6-4f68-80c7-4aa004dac8a9.vbs

Filesize
481B

MD5
4faf7b61402fdd65722d75e4ec9dde81

SHA1
29a2277ef1fba63d56292af702d9eccd198dbc5b

SHA256
5946909641766329a4e83474e2cab59998e2d7f4525ea81318d09300646b5e04

SHA512
0776a2d383844400ad27db3aa24be5fdc931f9641d87e7748be480d8e0a2ae4425666c7d8ba526ae0e4ba71f5dc20e09dead56e63c09f648103eed9f6d49f6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\f942a7b4-551b-40cd-98b0-46f04699c923.vbs

Filesize
705B

MD5
8628c2698d4090fbadaa8f3470158aa3

SHA1
67bbc65fa54acec62e0d19e42525fabe7f83bf0f

SHA256
2d4f00e3a923cf2c3b541941509bff03f49a3dc763f711f9ca1f8a7a064622ef

SHA512
b7748d0a64d41035182417ca48d229d2f6c3735fbde33bfe73c331c9fb6af8e1aaa0992c8fb22bcceffa47af6f8057677b6512893961ecb1abddef0329905e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\fPx99wSUcI.bat

Filesize
194B

MD5
2a27bc37dda72a128e1b8c0f132f0eaa

SHA1
502950dc999e577437a08720f48048c65bbf1635

SHA256
56ee0af74b9d2c57a9a2f238e4eccdc52561bb1a06ddf3322b41b358096ea62d

SHA512
6495dfd17ffa0f43c19aa1b14910d78cdbcc9dff068c070976cfd833308a8f7abf27cd0e0be8bfe27bc3e2173c623b82a4e27cb5bcd68978bfea8192377ced9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdbde285-265d-4058-af7e-c298363e1829.vbs

Filesize
705B

MD5
03474fa078badd9a184bcf669ff90424

SHA1
b7d2e8b72c8e32aac3ca993c71b706fb3b35d476

SHA256
0987dc1c21f6e216566c4fd492925075978417a62ed5bb86d2e2e917868c1687

SHA512
2fd289a063b55384f61590a81c10e8bc5ae90551bb3fcf998560d5beb48f07abdd91e2db39be92973a756f1c3c4c43a09b52f3594fd195635c0678bfab4c1bbe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0ce03f2743f09c8b3e6c84609da0c023

SHA1
3d3723429d38850d2def20942ba435baff92fb42

SHA256
fc5f5fefe08a094809b5804d8b805824b0b63b24b956f9f609807c3d34a9a16f

SHA512
a337d21fdb0cc23248e840a4e7d0adcaa4c314ab5e2846ca59866e609924a279b20bed688b41494fa7af0423116dfeb241835b90d87630ae753fa0b5c7609031

Download Submit
C:\Users\Default\Music\sppsvc.exe

Filesize
1.6MB

MD5
de5e256401394b86f2d300537e722a49

SHA1
839852f9b3e63ef8de37dc50e8f8502f75c565bf

SHA256
381ab54504691ae3e9e724151ac1b7892123eb725d7bc5f843b14a78e685c715

SHA512
23c0d9785bc8be43036fe3b50026c535dca1f4015c1df6fcf57e3ffd988331ebb9fd5f0c874e0bf6e449f7b106a7919fb515685865da02cb26b7cad2c83ef4af

Download Submit
C:\Users\Default\wininit.exe

Filesize
1.6MB

MD5
3b7215cdf0589cec3b4430a94a1aebda

SHA1
9d3bd0677b5b43391677a3ed65612c872e9aab1b

SHA256
311cacdace149718a1b4c091a1ca6865c9e952edd567ced682301d8c1097c808

SHA512
12675b77135a9509261bc6849a1616a915b8d9546b2b551bef3fce1327e1348a935d826b1e240163771fe11a349a26439e656bc7dc9353dc22e34ea31b2155bf

Download Submit
memory/628-231-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2120-7-0x0000000000680000-0x0000000000690000-memory.dmp

Filesize
64KB

Download
memory/2120-4-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2120-0-0x000007FEF6063000-0x000007FEF6064000-memory.dmp

Filesize
4KB

Download
memory/2120-15-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/2120-195-0x000007FEF6063000-0x000007FEF6064000-memory.dmp

Filesize
4KB

Download
memory/2120-201-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-12-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/2120-1-0x0000000000D70000-0x0000000000F12000-memory.dmp

Filesize
1.6MB

Download
memory/2120-11-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/2120-16-0x0000000000C50000-0x0000000000C5C000-memory.dmp

Filesize
48KB

Download
memory/2120-2-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-10-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2120-14-0x00000000006F0000-0x00000000006F8000-memory.dmp

Filesize
32KB

Download
memory/2120-3-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2120-9-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2120-6-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2120-13-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/2120-5-0x00000000004B0000-0x00000000004C6000-memory.dmp

Filesize
88KB

Download
memory/2120-8-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2276-356-0x0000000000B60000-0x0000000000D02000-memory.dmp

Filesize
1.6MB

Download
memory/2460-344-0x00000000001B0000-0x0000000000352000-memory.dmp

Filesize
1.6MB

Download
memory/2508-298-0x00000000013A0000-0x0000000001542000-memory.dmp

Filesize
1.6MB

Download
memory/2508-228-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2768-276-0x0000000001340000-0x00000000014E2000-memory.dmp

Filesize
1.6MB

Download
memory/2960-332-0x0000000000210000-0x00000000003B2000-memory.dmp

Filesize
1.6MB

Download